Starting next week, brick-and-mortar merchants in the United States must be ready to accept EMV (chip-based) credit and debit cards. If not, they - and not the card issuer - will become responsible for the liability resulting from fraudulent transactions.
(EDITOR'S NOTE: There are some exceptions to the rule, so it's always a good idea to ask your bank, acquirer and processor what your EMV responsibilities are and what your liability is.)
EMV - which stands for Europay, MasterCard and Visa, but is now managed by EMVCo - is a standard that makes payment cards nearly impossible to copy, meaning merchants can significantly reduce the possibility of accepting counterfeit cards. Unlike with traditional cards where data is encoded on magnetic stripes, EMV moves the sensitive data to an embedded microprocessor chip, which creates a unique transaction code for each purchase to perform authentication, verification and authorization.
The EMV standard, which is sometimes called chip-and-PIN or chip-and-signature, has existed for many years in some 80 other countries - most commonly in Europe and Canada - but makes up just a tiny fraction of the credit card transactions in the United States. Thus it's not a huge surprise that with an Oct. 1 deadline rapidly nearing, the majority of U.S. merchants (many of them small and midsize companies) are not EMV-ready. Meanwhile, more than half of American consumers don't know what a chip card is, never mind have received one.
EMV has been widely successful in trimming down fraud on face-to-face transaction, with European Union countries reportedly seeing an 80 percent reduction in card-present fraud since the standard was deployed. However, EMV won't signal the end of financial deception anytime soon.
With a new challenge staring them in the face, cybercriminals undoubtedly will get better at creating counterfeit chip cards and compromising EMV card readers. But what's far likelier - at least in the short term - is that fraud simply will shift to another channel, as for example, was evidenced in the U.K. which saw online, or card-not-present, fraud soar dramatically after the introduction of EMV because no chip is required during purchase. And experts said a similar fate awaits the United States, where research firm Aite Group predicts online fraud will more than double between 2015 and 2018.
But a bigger point to hammer home is that while the EMV standard may limit fraud or force it to migrate somewhere else, it won't stop credit card theft from happening in the first place. Breaches will still continue to roll in, and the retail industry will remain one of the biggest targets, especially e-commerce companies.
As Trustwave VP of Managed Security Testing Charles Henderson said recently: "From a criminal's perspective, if I'm going to look for cards I can use in card-not-present fraud, I'm going to look for a card-not-present target. This should be the million-dollar eureka moment for card-not-present retailers. That's why they should be paying attention."
While EMV is an important step to take to hamper consumer fraud (and limit your own liability), you should also ensure you have implemented a layered breach defense to help derail a successful attack on your company. If you lack the in-house resources and expertise to do it yourself, you may consider turning to a trusted managed security services provider for help on all or some of your data protection.
Regardless of the delivery model, your defense strategy should include:
Weak passwords and weak remote access (which contributed to 94 percent of point-of-sale breaches that Trustwave investigated last year) are just two of many exposure points you need to evaluate in order to stymie data breaches. Conducting regular vulnerability scanning and penetration testing across databases, networks, and applications can allow you to identify these deficient areas and make yourself a far less attractive target.
Web Security Gateway
Custom-designed malware that sniffs for credit card numbers is commonly unleashed into cardholder environments during compromises as a way to exfiltrate the targeted data. You should turn to a solution that can identify and block advanced malware and zero-day threats in real time.
You also need to be alerted as early as possible to threats so you can limit damage and losses. SIEM solutions can help you quickly understand what the intruders have accomplished, which systems they have compromised and how to halt them in their tracks before they can impart any further damage.
End-to-end encryption takes EMV a step further by encrypting the data at the moment it enters the environment, typically at the swipe/tap/input. Tokenization permits you to store tokens of your customer's payment data, facilitating processes like recurring and subsequent billing, without the risk of storing your customer's actual payment card data, which is instead stored securely in a third-party facility.
Web Application Firewall
Website security is already critical for e-commerce vendors and may become even more important as it becomes more difficult to commit fraud in card-present environments. Web application firewalls inspect web traffic and block common web attacks, like cross-site scripting and SQL injection.
Security Education Awareness
In many cases, employees and vendors (or other third-parties) are the source of a data compromise. For example, they click on an email attachment or follow a link that invites malware onto their internal workstation and laterally moves through the corporate network. To make them less prone to falling for a ruse, these workers must be trained regularly on acceptable use and incident response. Remember, you're only as strong as your weakest link.
EMV makes it harder to clone a physical card. But as we've said, it won't apply to or help web-based retailers, so they'll have to consider alternatives for verifying transactions as legitimate. One option is to deploy an additional authentication step, such as requiring the customer to enter something only they know, like an online PIN.
Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.